Don’t Mind the Gap

[Pages:64]Don't Mind the Gap: Bridging Network-wide Objectives and Device-level Configurations

Ryan Beckett (Princeton, MSR) Ratul Mahajan (MSR) Todd Millstein (UCLA) Jitu Padhye (MSR) David Walker (Princeton)

Configuring Networks is Error-Prone

~60% of network downtime is caused by human error

-Yankee group 2002

50-80% of outages from configuration changes

-Juniper 2008

2

Configuring Networks is Error-Prone

Sign In | Register

YouTube/Pakistan incident: Could something similar whack your site?

Configuring BGP properly is key to avoidance, 'Net registry official says

By Carolyn Duffy Marsan

Network World | Mar 10, 2008 1:00 AM PT

In light of Pakistan Telecom/YouTube incident, Internet registry official explains how you can avoid having your web site victimized by such an attack. When Pakistan Telecom blocked YouTube's traffic one Sunday evening in February, the ISP created an international incident that wreaked havoc on the popular video site for more than two hours. RIPE NCC, the European registry for Internet addresses, has conducted an analysis of what happened during Pakistan Telecom's hijacking of YouTube's traffic and the steps that YouTube took to stop the attack. We posed some questions to RIPE NCC's Chief Scientist Daniel Karrenberg about the YouTube incident. Here's what he had to say:

How frequently do hijacking incidents like the Pakistan Telecom/YouTube incident happen? Misconfigurations of iBGP (internal BGP, the protocol used between the routers in the same Autonomous System) happen regularly and are usually the result of an error. One such misconfiguration caused the Pakistan Telecom/YouTube incident. It appears that the Pakistan Telecom/YouTube incident was not an "attack" as some have labeled it, but a configuration error. (See Columnist Johna Till Johnson's take on the topic.) What is significant about the YouTube incident?

3

Configuring Networks is Error-Prone

Sign In | Register

YouTube/Pakistan incident: Could something similar whack your site?

Configuring BGP properly is key to avoidance, 'Net registry official says

By Carolyn Duffy Marsan

Network World | Mar 10, 2008 1:00 AM PT

In light of Pakistan Telecom/YouTube incident, Internet registry official explains how you can avoid having your web site victimized by such an attack. When Pakistan Telecom blocked YouTube's traffic one Sunday evening in February, the ISP created an international incident that wreaked havoc on the popular video site for more than two hours. RIPE NCC, the European registry for Internet addresses, has conducted an analysis of what happened during Pakistan Telecom's hijacking of YouTube's traffic and the steps that YouTube took to stop the attack. We posed some questions to RIPE NCC's Chief Scientist Daniel Karrenberg about the YouTube incident. Here's what he had to say:

How frequently do hijacking incidents like the Pakistan Telecom/YouTube incident happen? Misconfigurations of iBGP (internal BGP, the protocol used between the routers in the same Autonomous System) happen regularly and are usually the result of an error. One such misconfiguration caused the Pakistan Telecom/YouTube incident. It appears that the Pakistan Telecom/YouTube incident was not an "attack" as some have labeled it, but a configuration error. (See Columnist Johna Till Johnson's take on the topic.) What is significant about the YouTube incident?

4

Configuring Networks is Error-Prone

2/5/2016

Log in Sign up

China routing snafu briefly mangles interweb ? The Register

Cash'n'Carrion Whitepapers The Channel The Next Platform

,

Sign In | Register

YouTube/Pakistan incident: Could something similar whack

your site?

DATA CENTER SOFTWARE NETWORKS SECURITY INFRASTRUCTURE DEVOPS BUSINESS HARDWARE SCIENCE BOOTNOTES FORUMS

Networks Broadband

Configuring BGP properly is key to avoidance, 'Net registCrhyinoaffriocuiatilng snafu briefly mangles interweb

says

Cockup, not conspiracy

More like this

China Network Security

By Carolyn Duffy Marsan

Network World | Mar 10, 2008 1:00 AM PT

9 Apr 2010 at 12:24, John Leyden

5

0

Bad routing information sourced from China has disrupted the internet for the second time in a fortnight.

Global BGP (Border Gateway Routing) lookup tables sucked in data from a small ISP called IDC China Telecommunication, apparently accidentally broadcast by stateowned carrier China Telecommunications, IDG reports. ISPs including AT&T, France Telcom, Level3, Deutsche Telekom, Qwest and Telefonica accepted illthought out traffic routes as a result of the incident.

About the FT

Viewing

BGP is a core routing protocol which maps options for the best available routes for traffic to flow across

the net. Several routing options are normally included. The China BGP incident is the internet routing

In light of Pakistan Telecom/YouTube incident, Internet registry official explains how youeqcuiavanlenat vofoTiodmThoamvpiunbglishing routes via Shanghai for motorists looking for alternative routes

your web site victimized by such an attack.

between London and Paris.

IDC China Telecommunication published illconceived routes for between 32,000 and 37,000 networks

When

Pakistan

Telecom

blocked

YouTube's

traffic

one

Sunday

evening

in

February,

the ISP created an about 10 per cent of the net instead of the normal 40 or so routes, and this information was taken as viable routing options by many service providers for about 20 minutes early on Thursday morning (US

international incident that wreaked havoc on the popular video site for more than twotimhe)oaufterrsC.hina Telecommunications republished it and before the mixup was resolved. Routers in Asia would have been more likely to adopt the false routes as potentially viable, but effects of the

incident were recorded all over the world.

RIPE NCC, the European registry for Internet addresses, has conducted an analysis of what happened , a BGP monitoring service, has a detailed technical writeup of the snafu, which it

during Pakistan Telecom's hijacking of YouTube's traffic and the steps that YouTube tdoesockribetdoasstaopprefitxhheijack, here.

attack.

Although it seems they [IDC China Telecommunication] have leaked a whole table, only

about 10 per cent of these prefixes propagated outside of the Chinese network. These

We posed some questions to RIPE NCC's Chief Scientist Daniel Karrenberg about the YoinucTluudebpereifnixecsidfoer npotp.ular websites such as , , amazon.de,

and geocities.jp.

Here's what he had to say:

A large number of networks impacted this morning were actually Chinese networks. These

include some popular Chinese website such as , .cn ,

, and

How frequently do hijacking incidents like the Pakistan Telecom/YouTube incideAnctochkauppips seunsp?ected, rather than a conspiracy, at least by .

0:15

The surest investment you'll make this year

The FT's comprehensive coverage of global business provides the insight and analysis you need to stay one step ahead in 2016 and beyond.

The surest investment you'll make this year. Subscribe & save 33%

Most read

Given the large number of prefixes and short interval I don't believe this is an intentional

Misconfigurations of iBGP (internal BGP, the protocol used between the routers in the shaijamcke. Most likely it's because of configuration issue, i.e. fat fingers. But again, this is just

Autonomous System) happen regularly and are usually the result of an error. One suchspeculation.

misconfiguration caused the Pakistan Telecom/YouTube incident. It appears that theTPheapkraisctticaalnconsequences of the screwup are still being assessed but it could have resulted in dropped connections or, worse, traffic routed through unknown systems in China. The mess provides

Telecom/YouTube incident was not an "attack" as some have labeled it, but a configuornaetoifothne celerarreosrt .illu(sStreateions of the security shortcomings of BGP, a somewhat obscure but

Columnist Johna Till Johnson's take on the topic.)

nonetheless important network protocol.

What is significant about the YouTube incident?

The China BGP global routing represents a rare but not unprecedented mixup in global internet traffic management. For example, just two weeks ago bad routing data resulted in the redirection of Chilean internet traffic through a DNS (Domain Name System) server in China, as explained in a detailed post mortem by internet monitoring firm Renesys here. Bad BGP routing information from Pakistan caused



German Chancellor fires hydrogen plasma with the push of a button

Who would code a self destruct feature into their own web browser? Oh, hello, Apple

Who wants a quadcore 4.2GHz, 64GB, 5TB SSD

RAID 10 ... laptop?

1/4

5

Configuring Networks is Error-Prone

2/5/2016

2/5/2016 China routing snafu briefly mangles interweb ? The Register

Internet-Wide Catastrophe--Last Year - Dyn Research | The New Home Of Renesys

Log in Sign up

??

Cash'n'Carrion Whitepapers The Channel The Next Platform

Search

,

Sign In | Register

YouTube/Pakistan incident: Could something similar whack

your site?

DATA CENTER SOFTWARE NETWORKS SECURITY INFRASTRUCTURE DEVOPS BUSINESS HARDWARE SCIENCE BOOTNOTES FORUMS

Networks Broadband

Configuring BGP properly is key to avoidance, 'Net registCrhyinoaffriocuiatilng snafu briefly mangles interweb

says

Cockup, not conspiracy

More like this

China Network Security

By Carolyn Duffy Marsan

Network World | Mar 10, 2008 1:00 AM PT

9 Apr 2010 at 12:24, John Leyden

5

0

HOME

Bad routing information sourced from China has disrupted the internet for the second time in a fortnight.

Global BGP (Border Gateway Routing) lookup tables sucked in data from a small ISP called IDC China Telecommunication, apparently accidentally broadcast by stateowned carrier China Telecommunications, IDG reports. ISPs including AT&T, France Telcom, Level3, Deutsche Telekom, Qwest and Telefonica accepted illthought out traffic routes as a result of the incident.

TOPIACSbout the FTPRESENTATIONS

Viewing

ABOUT

BGP is a core routing protocol which maps options for the best available routes for traffic to flow across the net. Several routing options are normally included. The China BGP incid2entDisECthEeMinBtEerRne2t4ro, u2t0in0g5

In light of Pakistan Telecom/YouTube incident, Internet registry official explains how youeqcuiavanlenat vofoTiodmThoamvpiunbglishing routes via Shanghai for motorists looking for alternative routes

? COMMENTS (0)

your web site victimized by such an attack.

between London and Paris.

1 ENGINEERING

TODD UNDERWOOD

- VIEWS: 3038

0:15

IDC China Telecommunication published illconceived routes for between 32,000 and 37,000 networks

The surest investment

Internet-Wide When

Pakistan

Telecom

blocked

YouTube's

traffic

one

Sunday

evening

in

February,

the ISP created an about 10 per cent of the net instead of the normal 40 or so routes, and this information was taken as viable routing options by many service providers for about 20 minutes early on Thursday morning (US

international incident that wreaked havoc on the popular video site for more than twotimhe)oaufterrsC.hina Telecommunications republished it and before the mixup was resolved. Routers in Asia would have been more likely to adopt the false routes as potentially viable, but effects of the

you'll make this year

The FT's comprehensive coverage of global business provides the insight and analysis you need to stay one

Catastrophe--Last Year incident were recorded all over the world.

RIPE NCC, the European registry for Internet addresses, has conducted an analysis of what happened , a BGP monitoring service, has a detailed technical writeup of the snafu, which it

during Pakistan Telecom's hijacking of YouTube's traffic and the steps that YouTube tdoesockribetdoasstaopprefitxhheijack, here.

step ahead in 2016 and beyond.

attack.

Although it seems they [IDC China Telecommunication] have leaked a whole table, only

about 10 per cent of these prefixes propagated outside of the Chinese network. These

We posed some questions to RIPE NCC's Chief Scientist Daniel Karrenberg about the YoinucTluudebpereifnixecsidfoer npotp.ular websites such as , , amazon.de,

and geocities.jp.

Here's what he had to say:

A large number of networks impacted this morning were actually Chinese networks. These

The surest investment you'll make this year.

Subscribe & save 33%

include some popular Chinese website such as , .cn ,

, and

One year ago today TTNet in Turkey (AS9121) pretended to be the entire

How frequently do hijacking incidents like the Pakistan Telecom/YouTube incideAnctochkauppips seunsp?ected, rather than a conspiracy, at least by BGPmon.nIent.ternet. And unfortunateMlyosfotrrethaed rest of the Internet, many large

Given the large number of prefixes and short interval I don't belienveettwhisoirskanpirnotevnitdioenarls believed them (orGaertmleanasCthbanecleiellvorefdiretshem in part). As

Misconfigurations of iBGP (internal BGP, the protocol used between the routers in the shaijamcke. Most likely it's because of configuration issue, i.e. fat fingfearsr. aBsut aagnayino, tnheis iksnjuoswt s, it was a mistahkyed,rongoetn aplamsmalaicwioithutsheact. But the

Autonomous System) happen regularly and are usually the result of an error. One suchspeculation.

push of a button

consequences were far from benign: for several hours a large number of

misconfiguration caused the Pakistan Telecom/YouTube incident. It appears that theTPheapkraisctticaalnconsequences of the screwup are still being assessed but it could have resulted in dropped connections or, worse, traffic routed through unknown systemsInintC?ehPrinnraee.vTtiohuessmeSetrsossrypwroveidrees

Telecom/YouTube incident was not an "attack" as some have labeled it, but a configuornaetoifothne celerarreosrt .illu(sStreateions of the security shortcomings of BGP, a somewhat obscure but

unable

to

Who would code a self

reachdaesltarurgctefenautumrebinetor tohfeiIrnternet

sites.

Columnist Johna Till Johnson's take on the topic.)

nonetheless important network protocol.

Twelve months later we can take a loowonkwaetb wbrhowastehr?apOph,ened, and whether

hello, Apple

The China BGP global routing represents a rare but not unprecedentedwmiex'uvpeinlgeloabranl ientdernmet utracffhic in the intervening time.

What is significant about the YouTube incident?

management. For example, just two weeks ago bad routing data resulted in the redirection of Chilean

Who wants a quadcore

internet mortem

traffic through a DNS (Domain Name System) by internet monitoring firm Renesys here. Bad

sBeGrvPerroinutCinhgininaf,oaErmsaearxtilpoylnaifCnroehmd riPnisaaktidmsetataanislceadEupsvoesedt

morning

2004, 4T.2TGNHezt,

6(A4GSB9,152T1B) SsStaDrted

announcing



RAID 10 ... laptop?

1/4



OUTAGES

DYN CONTENT

HUB

Popular Authors Archives

The New Threat: Targeted Internet Traffic Misdirection

NOVEMBER 19, 2013

Egypt Leaves the Internet

JANUARY 27, 2011

Internet Touches Next StoHrya?lf Million Routes: Outages Possible Next Week

AUGUST 13, 2014

1/5

6

Fundamental Tradeoff?

Configuration

Distributed

Centralized

Distributed Control Mechanism

Centralized

7

Fundamental Tradeoff?

Configuration

Distributed

Centralized

Distributed

Control Mechanism

OSPF RIP BGP

Scalability Robustness Complexity

Centralized

8

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download